Paw is a cross-platform application to manage your passwords and identities securely.
It is written in Go and uses Fyne as its UI toolkit and age as its encryption library.
This software is a work in progress and has not gone through a full security audit.
Do not expect it to be bug free and do not rely on it for any type of security.
- Cross-platform application (Linux, macOS, Windows, BSD ...) with a single codebase
- Desktop and CLI application
- Minimal direct dependencies
- Open source: code can be audited
- Audit passwords against data breaches
- TOTP support
- Password import/export
- Automatically detect and use password rules for known websites that require them
- Automatic backup / synchronization
- Mobile / Web applications
- Stateless password derivation support
- Unicode password support
go install lucor.dev/paw/cmd/paw@latest
go install lucor.dev/paw/cmd/paw-cli@latest
To try the development version or help with testing:
# Desktop application
go install lucor.dev/paw/cmd/paw@develop
# CLI application
go install lucor.dev/paw/cmd/paw-cli@develop
One or more vaults can be initialized to store passwords and identities.
When a vault is initialized, the user is prompted for a vault name and password. An age key is generated, encrypted using an age Scrypt recipient with the provided password, and saved on disk (key.age). The X25519 identity and its recipient from the key file are used to decrypt and encrypt the vault data. Each item is stored separately on disk so that its content can be decrypted manually using the age tool, if needed. All the items' metadata is encrypted and stored in the vault.age file so that no information is kept in clear text.
Random passwords are derived by reading, byte by byte, the block of randomness from an HKDF cryptographic key derivation function that uses the age key as its secret. Printable characters that match the desired password rule (uppercase, lowercase, symbols and digits) are then included in the generated password.
Where a generated password is not applicable, a custom password can be specified.
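The derivation described above, sketched as an added example; this is not Paw's own code. The hash (SHA-256), the empty salt, the per-item `info` label, the ASCII alphabet string standing in for the password rule, and the names `expand` and `derive` are all assumptions, and the secret is a constructed stand-in for the age key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// expand returns HKDF-SHA256 block T(i) = HMAC(PRK, T(i-1) | info | i) from RFC 5869.
func expand(prk, prev, info []byte, i byte) []byte {
	m := hmac.New(sha256.New, prk)
	m.Write(prev)
	m.Write(info)
	m.Write([]byte{i})
	return m.Sum(nil)
}

// derive walks the HKDF output byte by byte and keeps only bytes found in
// alphabet; discarding the rest avoids the bias a modulo mapping would add.
func derive(secret, info []byte, alphabet string, length int) (string, error) {
	if length <= 0 || alphabet == "" {
		return "", errors.New("rule allows no characters or length is not positive")
	}
	ext := hmac.New(sha256.New, nil) // extract step; empty salt is an assumption
	ext.Write(secret)
	prk, out := ext.Sum(nil), make([]byte, 0, length)
	var block []byte
	for i := 1; i <= 255; i++ { // RFC 5869 limits output to 255 blocks
		block = expand(prk, block, info, byte(i))
		for _, c := range block {
			if strings.IndexByte(alphabet, c) < 0 {
				continue // byte does not match the rule: skip it
			}
			if out = append(out, c); len(out) == length {
				return string(out), nil
			}
		}
	}
	return "", errors.New("HKDF output exhausted before the password was complete")
}

func main() {
	secret := []byte("constructed-demo-secret") // stands in for the age key
	pw, err := derive(secret, []byte("login/www.example.com"), "abcdefghijkmnpqrstuvwxyz23456789#!", 16)
	fmt.Println(pw, err)
}
```

The same secret, label and alphabet always yield the same password, so anyone who obtains the decrypted age key can recompute every derived password.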
Internally, the vault is organized hierarchically like:
- vault
    ├── login
    |    └── www.example.com
    |    └── my.site.com
    ├── password
    |    └── mypassword
    └── note
         └── mysecretnote
where login, password and note are the Paw items, see the dedicated section for details.
Items are special templates that aim to help with identity management.
Currently the following items are available:
- login
- note
- password
The threat model of Paw assumes there are no attackers on your local machine.
- Fork and clone the repository
- Make and test your changes
- Open a pull request against the develop branch
See contributors page
Also thanks to these Open Source password managers that inspired Paw: